
Another Internet Explorer flaw found

A computer science researcher has highlighted the shortcomings of Microsoft's latest patch for its Internet Explorer browser by identifying another way that online vandals could run malicious programs on a Web surfer's computer.
Microsoft on Friday released a fix that's designed to protect computers from one of three flaws that, together, could be used to digitally slip past a PC's security through the browser. This weekend, however, a security researcher identified another flaw that could serve the same purpose and that isn't fixed by Microsoft's patch.

"They chose to address only one part of the problem," said Jelmer Kuperus, a computer science student in the Netherlands who posted the code for the work-around. "They should have seen this one coming."

This marks the third time in a month that Microsoft has had to play catch-up to researchers' public disclosures about insecurities in Internet Explorer. In early June, Kuperus found a Web site that used two previously unknown vulnerabilities, plus the recently patched one, to install adware on victims' computers. Additionally, security researchers discovered last week that a milder vulnerability, which Microsoft had fixed in early versions of the browser, reappeared in later versions.

Microsoft acknowledged the latest issue and said more fixes would be forthcoming.

"The company is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protection for customers," a company representative told CNET News.com. The company will also "continue to actively investigate these reports."

The most recent flaw is not new--security researchers first discussed the issue in January, Kuperus said. It had originally been considered minor, but the flaw is significant because it can be used in conjunction with the two other vulnerabilities, which were found at the beginning of June. Together, all three add up to easy access to Windows computers running Internet Explorer.

"Most exploits we are seeing developed today are composed of multiple vulnerabilities, (each one) bypassing a specific security feature of Internet Explorer," Kuperus said. "Individually, many of these issues often are fairly harmless, but combined they can pose serious risk."

Both the original and the latest vulnerabilities exist in a library of components and scripting features known as ActiveX. The older flaw is in ADODB.Stream, while the latest vulnerability is in the Shell.Application component.

Vulnerabilities in IE have become so common that some security researchers are recommending that people adopt alternate browsers. The Computer Emergency Response Team, the official U.S. body responsible for defending against online threats, also advised security administrators to consider moving to a non-Microsoft browser, as one of six recommended responses.

Microsoft recommends that users go to the company's Protect Your PC site for the latest information.

And how's this supposed to protect us from this flaw?
Do you really think big enterprises will drop windows and run OpenBSD?
Heck, you don't even get them to replace IE with something else (believe me I've tried).

[edit]Oh, and don't worry I'm a very happy *BSD user[/edit]

Oliver's Law:
Experience is something you don't get until just after you need it.

Originally posted here by SirDice And how's this supposed to protect us from this flaw?
Do you really think big enterprises will drop windows and run OpenBSD?
Heck, you don't even get them to replace IE with something else (believe me I've tried).

[edit]Oh, and don't worry I'm a very happy *BSD user[/edit]

I didn't say anything about suits and Lusers getting a clue. I was just taking this opportunity
to plug for OpenBSD.

I don't use IE myself, but I constantly caution anyone, especially the security clueless, against believing the anti-Microsoft mantra that everything non-Microsoft is automatically secure. Some may be more inherently secure than others, but they all have learning curves and they all have vulnerabilities, and the products are only as secure as the users keep them.

To illustrate the point, while the Microsoft bashers, and even Microsoft itself it seems, are telling everyone to jump ship because there are just too many holes in IE and the flaws exist at a fundamental design level that can't be easily patched, the competing browsers have the same or similar issues.

First there was the discovery that almost all browsers suffered from a six-year-old vulnerability that would allow an attacker to spoof a web site. Now, after Jelmer's revelation that the Microsoft "fix" was too narrow in scope and that other problems of equal magnitude still exist in IE, Secunia has released an advisory (SA12027) stating that almost all versions of Mozilla are vulnerable to the same exploit.

It seems to me that maybe the flaws in IE that everyone is ranting about and bashing Microsoft for exist at a more fundamental level of the browser code that exists outside of Microsoft and is used as the basis for web browsing in general. It just happens that IE has 90% or more market share for web browsers and they're an easy target when it comes to software flaws and security issues.

My point isn't so much to defend Microsoft as it is to illustrate that the competition has many of the same issues and to caution people from assuming they are secure just because they jump ship and use Mozilla or Opera or some other browser.